Wireshark question

neil4933
Hi

I am trying to use Wireshark to trace a conversation between a server and client. I ran the Wireshark capture and have the file in front of me. But I have some questions I was hoping experts could help with:

i) I want to view the source and destination ports.... I went to "Edit Preferences" and added a column for Source Port and Destination Port. But - in the view, they are labelled as "New Column" and "New Column", the option to name the Column in "Edit Preferences" is greyed out, anyone know how to change this?

ii) When the capture starts, for the Columns I added, sometimes I can see the port number, sometimes the name of the protocol (I assume that's what it is)... how can I change it so that only the port NUMBER is displayed?

iii) I would like to see which device initiated a conversation. Sure, I can see Source IP and Destination IP, however I don't know which one actually started the conversation. I assume I need to look at the "Info" tab, there are entries there such as "ACK" and "PSH, ACK" - does anyone know how these can help me?

iv) Also in info, I can see the "Seq" number, and the "Ack" number, what do these relate to?

v) Is there any way to right click a packet and view the entire conversation related to that packet (as in highlight the entries in the display)

Any help would be much appreciated!!!!
Software Engineer
Distinguished Expert 2018
Commented:
1) After adding the field and choosing the number, click on the left column in the overview above on the field you just added. Then you can change them. Yep, annoying. (You can reorder fields by dragging them around there too.)

2) Select the Src Port or Dst Port with the attribute 'unresolved'

3) A TCP link starts with a Syn, the response should be Syn+Ack and the final acceptance = Ack on that.

4) Relative offsets in the up & down stream. During Syn these numbers are synchronised. And the max difference between the Seq# and the Ack# is the sending window, or "data underway".
If they are equal there is no data underway and nothing is missing.

5) Right-click on a packet. You can choose: Colorize Conversation to let them spring out in color, or you can filter them, or you can follow the stream (which effectively takes all the data out of the packets and shows it).

Hope it helps.
Top Expert 2009
Commented:
>> the option to name the Column in "Edit Preferences" is greyed out, anyone know how to change this?

If you go to Edit > Preferences > User Interface > Columns (which is where you were), select the column whose name you want to modify, and then click once on that name, you should be able to modify it. Don't modify it via the "Field name" field at the bottom.


>> ii) When the capture starts, for the Columns I added, sometimes I can see the port number, sometimes the name of the protocol (I assume that's what it is)... how can I change it so that only the port NUMBER is displayed?

When choosing the type of the column, choose "Src port (unresolved)".


>> iii) I would like to see which device initiated a conversation. Sure, I can see Source IP and Destination IP, however I don't know which one actually started the conversation. I assume I need to look at the "Info" tab, there are entries there such as "ACK" and "PSH, ACK" - does anyone know how these can help me?

You can sort all captured packets by number (or timestamp), and look at the first packet in the stream you're looking at. To make it easy for yourself, you can right-click on a packet, and choose "Follow ... Stream" (where ... is the protocol of your choice), and Wireshark will apply a filter to only show that stream. It should be easy to find the first packet in the stream, and thus the initiating party.

Also have a look at Statistics > Flow Graph.


>> iv) Also in info, I can see the "Seq" number, and the "Ack" number, what do these relate to?

These are part of the TCP protocol. Refer to RFC 793 (http://tools.ietf.org/rfc/rfc793.txt). The protocol keeps track of packets with a sequence number, and of the acks for each packet with the corresponding number.


>> v) Is there any way to right click a packet and view the entire conversation related to that packet (as in highlight the entries in the display)

See my earlier response for iii)
1) In the preferences window when you've added the new port, double-click the label in the label column and rename it to whatever you want
2) Change the number in the preference window so it is "unresolved"
3) The conversation, assuming it is TCP, will commence with a SYN packet, which is the first part of the 3 way handshake prior to transmission - see http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment
4) The seq number is the packet sequence number. There is a packet sequence number (where the packet appears in that conversation) and also a relative sequence number (where the TCP packet appears in your capture)
5) You can right click on a packet in a conversation and "follow tcp stream" to isolate a specific conversation.

In addition to this you can use filters such as

ip.addr==10.202.4.1 - This will filter so the IP address listed must be visible in the packet
ip.dst==10.202.4.1 - This filters on destination address
ip.src==10.202.4.1 - This filters on source address

You can play around with filters, and there is a nice graphical interface to build expressions to filter on, by clicking on the filters button at the top of the screen.

If you're likely to be using Wireshark a lot, I'd recommend getting started with the book "Practical Packet Analysis" by Chris Sanders. It's well written and easy to follow, with downloadable capture files that you can work through.

Hope this helps...
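Pulling together points 3, 4 and 5 of the answers above (who sent the SYN, what Seq and Ack mean, isolating one stream), here is an added example that is not from the thread and not Wireshark's own code. The packet records are constructed, the Pkt fields and function names are this example's own, and one conversation is modelled with absolute sequence numbers so the relative ones can be derived.

```python
from collections import defaultdict, namedtuple

# One packet as Wireshark's columns show it (flags as a set of flag names).
Pkt = namedtuple("Pkt", "src sport dst dport flags seq ack length")

# Constructed capture: 3-way handshake, a 100-byte request, a 300-byte reply not yet acked.
CAPTURE = [
    Pkt("10.0.0.5", 51234, "10.0.0.9",    80, {"SYN"},        1000,    0,   0),
    Pkt("10.0.0.9",    80, "10.0.0.5", 51234, {"SYN", "ACK"}, 5000, 1001,   0),
    Pkt("10.0.0.5", 51234, "10.0.0.9",    80, {"ACK"},        1001, 5001,   0),
    Pkt("10.0.0.5", 51234, "10.0.0.9",    80, {"PSH", "ACK"}, 1001, 5001, 100),
    Pkt("10.0.0.9",    80, "10.0.0.5", 51234, {"ACK"},        5001, 1101,   0),
    Pkt("10.0.0.9",    80, "10.0.0.5", 51234, {"PSH", "ACK"}, 5001, 1101, 300),
]

def conversations(packets):
    """Group by direction-independent endpoint pair, the set 'Follow TCP Stream' isolates."""
    streams = defaultdict(list)
    for p in packets:
        streams[tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))].append(p)
    return streams

def initiator(stream):
    """The endpoint that sent a bare SYN (no ACK) opened the connection."""
    for p in stream:
        if "SYN" in p.flags and "ACK" not in p.flags:
            return (p.src, p.sport)
    return None  # handshake not captured: the trace cannot tell who started it

def relative_numbers(stream):
    """Seq/Ack relative to each side's initial sequence number, as Wireshark shows by default."""
    isn, out = {}, []
    for p in stream:
        isn.setdefault((p.src, p.sport), p.seq)
        peer_isn = isn.get((p.dst, p.dport), 0)
        out.append((p.seq - isn[(p.src, p.sport)], p.ack - peer_isn if "ACK" in p.flags else 0))
    return out

def bytes_in_flight(stream):
    """Per endpoint: next seq it will send minus highest ack received from the peer.
    SYN and FIN each consume one sequence number; 0 means nothing is underway."""
    isn, next_seq, acked = {}, {}, {}
    for p in stream:
        me, peer = (p.src, p.sport), (p.dst, p.dport)
        isn.setdefault(me, p.seq)
        consumed = p.length + int("SYN" in p.flags) + int("FIN" in p.flags)
        next_seq[me] = max(next_seq.get(me, 0), p.seq + consumed)
        if "ACK" in p.flags:
            acked[peer] = max(acked.get(peer, 0), p.ack)
    return {ep: next_seq[ep] - acked.get(ep, isn[ep]) for ep in next_seq}
```

Run it against a real trace by exporting the same columns from Wireshark and filling CAPTURE; a stream whose handshake was not captured returns None from initiator, which is exactly the case where the Info column alone cannot tell you who started it.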
>> Any help would be much appreciated!!!!
check out http://www.wiresharktraining.com/
In addition to books and online training they offer free classes. One is scheduled for this evening. If you miss it, they re-run them on a regular basis.
I concur with steveoskh for the training... Laura's DVDs go for $300 each (e.g. http://www.amazon.com/dp/B0012VPCRC ) so the free wireshark jumpstart class is an excellent deal... one of the things she usually shows in that, step-by-step, is focusing on a particular 'conversation' and even reassembling any file[s] exchanged like that.

Gerald Combs (Wireshark's author, and Ethereal's before that) is usually sitting on the 'side' in the chat area answering specific questions during the classes, too.
